Do you need to use mysql_real_escape_string on a "remember me" check box? Is there any way the user could change the value? I guess it wouldn't hurt to do it anyways...

04-30-2012, 12:43 PM

NogDog

Yes, a "user" could change the value by submitting his/her own HTTP request, totally bypassing what's in your form.

04-30-2012, 12:44 PM

droidus

You mean through the URL, using GET?

04-30-2012, 07:09 PM

NogDog

Or via cURL using POST, or just creating their own HTML form with the action URL and form field names matching what's on your form page -- which is why you can never depend on client-side (i.e. JavaScript) validation for any important form validation.

04-30-2012, 11:35 PM

3DSHub

Why don't you simply have PHP check the value of what the server receives?
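
A server-side check of the kind discussed in this thread, as an added example that is not part of any poster's code: the checkbox is reduced to a boolean before anything else uses it, so the submitted string itself never reaches a query. The field name `remember`, the form value `1`, and the helper name `remember_me_from_request` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): reduce the "remember me" field
// to a boolean on the server. Field name 'remember' and value '1' are assumed.
function remember_me_from_request(array $post): bool
{
    // An unchecked box is simply absent from the request.
    if (!array_key_exists('remember', $post)) {
        return false;
    }
    $raw = $post['remember'];
    // A hand-built request can send remember[]=1, which PHP parses as an
    // array; string functions would warn or misbehave on it.
    if (!is_string($raw)) {
        return false;
    }
    // Accept only the exact value the real form emits; anything else is "off".
    return $raw === '1';
}

// Constructed sample bodies, shaped the way PHP would populate $_POST.
$samples = [
    'checked in the real form'  => ['user' => 'alice', 'remember' => '1'],
    'unchecked'                 => ['user' => 'alice'],
    'hand-built request, text'  => ['user' => 'alice', 'remember' => "1'x"],
    'hand-built request, array' => ['user' => 'alice', 'remember' => ['1']],
];

foreach ($samples as $label => $post) {
    $remember = remember_me_from_request($post);
    // Only the derived boolean (as 0 or 1) is used from here on, for example
    // bound as an integer parameter in a prepared statement.
    printf("%-27s => %d\n", $label, (int) $remember);
}
```

Only the first sample yields 1; the absent field and both hand-built values yield 0.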